Risk Management Concepts and the CISSP (Part 1) - Security Boulevard

The Certified Information Systems Security Professional (CISSP) is an information security certification developed by the International Information Systems Security Certification Consortium, also known as (ISC)². Risk management is one of the modules of CISSP training. It entails the identification of an organization’s information assets and the development, documentation, implementation, and updating of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability.

Management tools such as risk assessment and risk analysis are used to identify threats, classify assets, and rate their vulnerabilities so that effective security measures and controls can be implemented. The process of risk management is carried out to identify potential risks, along with the tools and practices used to rate and reduce the risk to specific resources of an organization.

Risk Management Concepts

Beyond basic security fundamentals, the concepts of risk management are perhaps the most important and complex part of the information security and risk management domain. The candidate needs to understand all the core concepts of risk management, such as risk assessment methodologies, risk calculations, and safeguard selection criteria and objectives.

A risk comprises a threat and a vulnerability of an asset, defined as follows:

Threat: Any natural or man-made circumstance that could have an adverse impact on an organizational asset.

Vulnerability: The absence or weakness of a safeguard in an asset that makes a threat potentially more likely to occur, or likely to occur more frequently.

Asset: An asset is a resource, process, product, or system that has some value to an organization and must, therefore, be protected.

Threat, vulnerability, and asset are known as the risk management triples. This is the main concept covered in risk management from the CISSP exam perspective. Risk can never be completely eliminated. Any system or environment, no matter how secure, (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Irfan Shakeel. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/UMolKscHCdo/